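/**
 * Returns the purview entry for `controller`, reading own properties only.
 *
 * The map comes from JSON.parse, so a controller name that matches an
 * Object.prototype key (e.g. "constructor") must not resolve to an inherited
 * value; such names yield undefined, i.e. "no entry".
 *
 * @param {object} purview - parsed controller -> action-list map
 * @param {string} controller - controller name from req.options
 * @returns {*} the entry, or undefined when the controller has none
 */
function purviewEntry(purview, controller) {
    if (Object.prototype.hasOwnProperty.call(purview, controller)) {
        return purview[controller];
    }
    return undefined;
}

/**
 * Parses the usergroup's stored `purview` JSON.
 *
 * @param {*} raw - the stored value (expected to be a JSON string)
 * @returns {object|null} the decoded map, or null when the value is missing,
 *   is not valid JSON, or does not decode to an object. Callers treat null as
 *   "deny", so bad permission data fails closed instead of letting JSON.parse
 *   throw and surface as a server error.
 */
function parsePurview(raw) {
    if (typeof raw !== 'string') {
        return null;
    }
    var parsed;
    try {
        parsed = JSON.parse(raw);
    } catch (err) {
        // Malformed JSON is a data problem, not a request the user may perform.
        return null;
    }
    if (parsed === null || typeof parsed !== 'object') {
        return null;
    }
    return parsed;
}

/**
 * Tells whether `entry` lists `action`, preserving the original
 * `entry && entry.indexOf(action) !== -1` semantics. An entry without an
 * indexOf method (number, plain object, ...) counts as "not listed" rather
 * than throwing.
 *
 * NOTE(review): if an entry is ever stored as a string instead of an array,
 * indexOf becomes a substring match ("view" would match "preview") — confirm
 * entries are arrays of action names.
 *
 * @param {*} entry - the controller's purview entry
 * @param {string} action - action name from req.options
 * @returns {boolean}
 */
function listsAction(entry, action) {
    if (!entry || typeof entry.indexOf !== 'function') {
        return false;
    }
    return entry.indexOf(action) !== -1;
}

/**
 * Applies the usergroup policy to one controller/action pair.
 *
 * As implemented in the original condition:
 *  - usergroup id 0 (the dev group) uses a blacklist: the request is denied
 *    only when the controller's entry lists the action;
 *  - every other group is denied unless the controller has an entry AND that
 *    entry lists the action, i.e. a whitelist on both controller and action.
 *    NOTE(review): the original comment described actions as a blacklist for
 *    these groups, which is the opposite of what the code does — confirm which
 *    is intended.
 * Missing or unparseable purview data denies the request for every group.
 *
 * @param {object} group - req.session.user.usergroup (may be an empty object)
 * @param {string} controller
 * @param {string} action
 * @returns {boolean} true when the request must be refused
 */
function isDenied(group, controller, action) {
    var purview = parsePurview(group.purview);
    if (purview === null) {
        return true;
    }
    var listed = listsAction(purviewEntry(purview, controller), action);
    // Loose equality kept on purpose: the original compared `id==0`, and the
    // id may arrive as the string "0" from the session store — TODO confirm.
    if (group.id == 0) {
        return listed;
    }
    return !listed;
}

/**
 * Policy middleware: requires a logged-in session and checks the user's
 * usergroup purview against the routed controller/action.
 *
 * - No session user: sets a flash message and redirects to /user/login.
 * - Denied by the purview rules (see isDenied): sets a flash message and
 *   responds with res.forbidden().
 * - Otherwise exposes the user as res.locals.user and calls next().
 *
 * @param {object} req - request with `session` and `options.controller`/`options.action`
 * @param {object} res - response providing `locals`, `forbidden()` and `redirect()`
 * @param {function} next
 * @returns {*} whatever res.redirect(), res.forbidden() or next() returns
 */
function requirePermission(req, res, next) {
    var user = req.session.user;
    if (!user) {
        req.session.flash = {
            error: "登陆过期，请重新登陆!"
        };
        return res.redirect('/user/login');
    }

    // A user without a usergroup gets no permissions (fails closed) instead
    // of throwing a TypeError on usergroup.purview.
    var group = user.usergroup || {};
    if (isDenied(group, req.options.controller, req.options.action)) {
        req.session.flash = {
            error: "没有权限进行此操作，请更换账号继续 !"
        };
        return res.forbidden();
    }

    res.locals.user = user;
    return next();
}

module.exports = requirePermission;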